Latest Citadel trick allows RDP access after malware's removal

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Attackers have updated Citadel with a new “trick” that gives them device access even after the banking malware has been detected and removed by administrators, a security firm found.

The access is maintained through native Windows Remote Desktop Protocol (RDP) capabilities, Trusteer, an IBM company, said in a Tuesday blog post.

Etay Maor, prevention solutions manager at Trusteer, explained in the post that Citadel has offered fraudsters virtual network connection (VNC) capabilities since it emerged – a feature allowing access similar to RDP. Citadel's new configuration, however, allows fraudsters a heightened level of persistence, giving hackers RDP access, even if the malware and its VNC capabilities are removed, Maor wrote.

Once a device is infected with Citadel, malware operators run Windows shell commands that add a new user to the system's local administrator group. Having accomplished this, attackers then go on to add a new user to the local RDP group and set the password to “never expire,” Maor continued.

“Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities,” his blog post said. “The attacker has set up a backup back door into the infected device.”

These exploits could go unnoticed since the use of Windows-native RDP capabilities may be assumed legitimate by enterprises (the protocol is often used for technical support, for instance), he explained.

In a Thursday interview with SCMagazine.com, Maor said that the updated malware had targeted Australia and a small number of countries in Asia. Trusteer discovered the new Citadel “trick” this month, Maor added.

“The security team is still watching to see if it propagates,” Maor said. He later explained that the updated threat may be limited in its impact, for now, because the attackers used hardcoded shell commands – meaning each command adds the same username (coresystem) and password (Lol117755C) to the administrator group.

“I think its [use] may be limited, because the shell commands are hardcoded; they don't change. Every command will add the same password to the same group, which is not very scalable,” Maor said.
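The persistence chain Maor describes leaves a recognisable trail in the Windows Security log even after the malware binary is gone: an account is created (event 4720), added to the built-in Administrators and Remote Desktop Users groups (event 4732, identified by the groups' well-known SIDs S-1-5-32-544 and S-1-5-32-555), and changed so its password never expires (event 4738 with the “Don't Expire Password” flag). The script below is an added example, not code from Trusteer or from the article; it correlates those three events per account within a short window and also flags the `coresystem` username the article reports as hardcoded. The event records are constructed for the example and use a simplified subset of the real log fields, so a deployment would feed it parsed events from the actual log rather than this list.

```python
"""Correlate Windows Security events into the "create user, make it admin and
RDP-capable, never expire the password" chain described in the article.

Event IDs 4720 (user created), 4732 (member added to local group) and 4738
(user account changed) and the two group SIDs are real Windows values; the
record layout below is a CONSTRUCTED simplification for this example."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"        # built-in Administrators group
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"  # built-in Remote Desktop Users group
NEVER_EXPIRES_FLAG = "Don't Expire Password"

# Username the article reports as hardcoded in the observed Citadel commands.
KNOWN_HARDCODED_USERS = {"coresystem"}

# Constructed sample events (chronological; hosts, names and times invented).
SAMPLE_EVENTS = [
    # Benign: helpdesk grants an existing technician RDP access.
    {"id": 4732, "time": "2013-06-04 09:12:00", "target": "jsmith",
     "group_sid": REMOTE_DESKTOP_USERS_SID, "subject": "helpdesk01"},
    # Suspicious chain on a user's workstation, seconds apart.
    {"id": 4720, "time": "2013-06-04 13:41:10", "target": "coresystem",
     "subject": "alice"},
    {"id": 4732, "time": "2013-06-04 13:41:12", "target": "coresystem",
     "group_sid": ADMINISTRATORS_SID, "subject": "alice"},
    {"id": 4732, "time": "2013-06-04 13:41:14", "target": "coresystem",
     "group_sid": REMOTE_DESKTOP_USERS_SID, "subject": "alice"},
    {"id": 4738, "time": "2013-06-04 13:41:15", "target": "coresystem",
     "uac_flags_added": [NEVER_EXPIRES_FLAG], "subject": "alice"},
    # A plain new account with no follow-up changes.
    {"id": 4720, "time": "2013-06-04 15:00:00", "target": "contractor7",
     "subject": "helpdesk01"},
]


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def find_backdoor_accounts(events, window_seconds=600):
    """Return {username: finding} for every account creation (4720) that is
    followed, within window_seconds, by at least two of: membership in
    Administrators, membership in Remote Desktop Users, password set to never
    expire. Accounts in KNOWN_HARDCODED_USERS are reported regardless."""
    ordered = sorted(events, key=lambda e: _parse_time(e["time"]))
    findings = {}
    for ev in ordered:
        if ev["id"] != 4720:
            continue
        user = ev["target"]
        created = _parse_time(ev["time"])
        deadline = created + timedelta(seconds=window_seconds)
        finding = {
            "created_at": ev["time"],
            "created_by": ev["subject"],
            "admin": False,
            "rdp": False,
            "never_expires": False,
            "known_ioc": user.lower() in KNOWN_HARDCODED_USERS,
        }
        for later in ordered:
            when = _parse_time(later["time"])
            if later["target"] != user or not (created <= when <= deadline):
                continue
            if later["id"] == 4732:
                sid = later.get("group_sid")
                if sid == ADMINISTRATORS_SID:
                    finding["admin"] = True
                elif sid == REMOTE_DESKTOP_USERS_SID:
                    finding["rdp"] = True
            elif later["id"] == 4738 and NEVER_EXPIRES_FLAG in later.get("uac_flags_added", []):
                finding["never_expires"] = True
        # Two of the three traits is enough to warrant a look: the pattern
        # needs a way in (admin or RDP) plus persistence (no password expiry).
        finding["score"] = sum((finding["admin"], finding["rdp"], finding["never_expires"]))
        if finding["score"] >= 2 or finding["known_ioc"]:
            findings[user] = finding
    return findings


if __name__ == "__main__":
    for name, info in find_backdoor_accounts(SAMPLE_EVENTS).items():
        print(name, info)
```

The behavioural chain is the part worth keeping: the `coresystem` name is a useful indicator only for as long as the shell commands stay hardcoded, which is exactly the limitation Maor points to, whereas a freshly created local account that is made an administrator, an RDP user and non-expiring within seconds is suspicious whatever it is called. Because RDP logons to such an account look like ordinary support traffic, this correlation at account-creation time is a better place to catch it than the later logon events.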